Before you begin your security awareness training program, we strongly recommend sending an unannounced simulated phishing test to all of your users. This test will help you establish a baseline for your organization.
The results of this baseline phishing test will show your organization's initial Phish-prone Percentage. The Phish-prone Percentage is the percentage of users who are likely to click on a phishing email. Consider this initial Phish-prone Percentage the baseline, or starting point, for your organization. Your organization's overall Phish-prone Percentage, or Account Average Phish-prone Percentage, is based on the Phish-prone Percentage of your active users who have received at least one Phishing Security Test. As you conduct ongoing phishing tests, compare your organization's Phish-prone Percentage with the initial Phish-prone Percentage to measure the success of your security awareness training plan.
Why Shouldn't I Announce the Test?
We recommend conducting an unannounced baseline phishing test in order to get the most accurate results. By not announcing the test, you can see how vulnerable your organization would be if a real phishing attack made it through your email filters. Having this insight can help you gain buy-in from your stakeholders. To learn more, please see: How Can I Engage My Stakeholders in My Security Awareness Training Plan?.
Recommended Settings for the Baseline Test Campaign
Tip: After you've whitelisted and before you create a baseline phishing campaign, we recommend running at least one test campaign that is limited to a small group of users. To learn more, see the Preliminary Test Campaign section of our Quickstart Implementation Guide.
To create your baseline campaign, go to Phishing > + Create Phishing Campaign. We recommend using the following settings for your baseline test campaign:
Note: All phishing campaigns are localized by default.
- Campaign Name: Name your campaign something descriptive, such as "Baseline Test".
- Send to: Select All Users.
- Frequency: Select One-time.
- Start Time: From the drop-down menus, select the desired date and time for your baseline test. The time you select should be during your organization's business hours as that is when your users are actively checking their emails.
- Sending Period: Select Send all emails when the campaign starts. When this setting is selected, emails will begin sending as soon as the campaign begins. The timing of sending and delivery will vary, depending on the number of users in the campaign. In most campaigns, all emails will be sent within an hour after the campaign starts.
- Track Activity: We recommend that you track phishing test failures for at least three days. For more information about sending and tracking periods, see our How to Monitor and Review Phishing Campaigns article.
- Track Replies to Phishing Emails: You can turn this setting on if you wish to track your users' replies to the phishing test emails. For more information about reply-to phishing, see our Reply-To Phishing article.
- Template Topics: Select the Phishing for Sensitive Information category from the drop-down menu.
- Set Template Language: If enabled, this setting will override the phishing language set in users’ profiles. For more information about your language settings, please visit our Localization Guide.
- Difficulty Rating: This setting estimates how sophisticated a template is and how likely it is to trick your users into failing. For this campaign’s purposes, keep the Difficulty Rating set to All Ratings.
- Template Selection: From the drop-down menu, select Specific Template (Choose one template).
- Specific Template: Select the IT: Password Check Required Immediately phishing template.
- Preview: Clicking Preview will reveal the phishing template you are sending to your users.
- Phish Link Domain: Choose a domain to use for the phishing link. This is the domain that your users will see when they hover over the phishing link, so choose one that looks safe to click on.
- Landing Page: Keep Default Landing Pages selected.
- Add Clickers To: For this campaign’s purposes, you do not need to make a selection.
- Send an email report to account admins after each phishing test: Select this checkbox so that an email will be sent to all of your account administrators after the test is complete. This email report will be sent to administrators after the Track Activity time period has concluded.
After the Baseline Test
After the baseline phishing test, your users may be confused or concerned about the email that they received. To help with this confusion, we recommend that you send an email explaining what the phishing test was. You can even share your organization's Phish-prone Percentage to emphasize the importance of security awareness training. We've provided a template that you can use for this email; please see: Template for After Your Baseline Phishing Test.
We recommend enrolling your users in security awareness training shortly after conducting your baseline phishing test. To learn more, see Best Practices Guide: Create Your First Training Campaign.
Once users have completed their initial security awareness training assignment, we recommend that you conduct ongoing phishing tests so that your users can practice the skills they've learned as part of their training. To learn more about ongoing phishing tests, see our Best Practices Guide.